Internal Control Checklists
Office of Internal Audit
July 2015
Author: Octavia Reed

This document provides tools to help establish, document, maintain, and adhere to a system of internal controls.

Scope of this manual
Understanding internal controls applies to all University departments and operations. The internal control checklists in this manual should not be interpreted as an all-inclusive list of the controls appropriate for each department. With time, control processes can be expected to change to reflect changes in the operating environment. How much control to employ is a business decision. When a weakness is identified in a control, management must choose among the following alternatives:
• Additional supervision and monitoring
• Additional or compensating controls
• Accept the risk(s) associated with the identified control weakness(es). This alternative should be considered after an evaluation of costs and risk exposures. Decisions to accept significant risks, rather than address the control weakness, require approval by senior management and disclosure to the Audit Committee.
This manual is not a substitute for existing policies and procedures. The guidance provided in this manual should be used in conjunction with existing policies and procedures.

Table of Contents
Introduction
Assets
Cash and Receipts
Control Environment
Disbursements/Expenditures
Financial Reporting
Human Resources
Information Technology
Management Oversight
Research


Introduction
These checklists are similar to tools used by auditors when they are performing an audit of your department's internal controls. Each checklist should be completed by the individuals accountable for the specific business process, answering Yes, No, or NA to each question. The checklists are NOT meant to be an exhaustive list of all controls; they address some of the most common internal control processes. "No" responses normally indicate a potential weakness for which there should be compensating controls within the unit. Most internal control procedures are based on "common sense", but taking the time to periodically use these checklists to review the control processes is valuable and helps document your due diligence in fulfilling your oversight responsibilities.

A control conscious environment is a critical element of internal control. It is an environment that supports ethical values and business practices and conveys an attitude of honesty and accountability at all levels. Management is responsible for "setting the tone at the top" for their areas, encouraging the highest level of integrity and ethical behavior, and exhibiting leadership behavior that promotes internal control and accountability. The Control Environment and Management Oversight checklists included in this document apply across all areas, and can help ensure that you have specific activities in place to demonstrate this commitment.

All other checklists are organized by activity (e.g., receipts, disbursements) and further subdivided by the following types of controls, which are discussed in more detail in the companion handbook, Understanding Internal Controls.
• Authorization and approval procedures to provide reasonable control over assets, liabilities, revenues, and expenditures.
• Documentation of policies and procedures for prescribing and documenting the business and control processes.
• Monitoring to ensure internal controls are working as intended and that every employee understands their role and has appropriate knowledge and resources to perform their responsibilities effectively.
• Reconciliation to ensure that transactions are properly calculated, classified, and recorded timely.
• Safeguarding assets to ensure assets (including data) are secure from theft, damage, unauthorized access, or unauthorized use.
• Segregation of duties to create checks and balances, which requires separating the authorization of transactions, the recording of transactions, and the custody of assets.


Assets (answer each question Yes / No / NA)

Authorization and Approval
• Are asset purchases approved by appropriate management?
• Is access to financial and other systems appropriately approved?
• Are original signatures/log-in credentials used to approve transactions (i.e., no signature stamps, sharing of passwords, or signing on behalf of others)?

Documentation
• Does new equipment receive ID tags timely?
• When property is removed, is it accounted for and documented?
• Is Asset Management notified when assets are received (purchased, donated, transferred) or disposed of?
• Are vehicle use records maintained for University-owned vehicles?
• Has the unit documented department-specific policies and procedures addressing daily operating activities? Are they well understood by unit staff?

Monitoring
• Are department property custodians familiar with the applicable organization and department policies and procedures?
• Is a perpetual inventory record maintained for significant amounts of minor equipment, supplies, and other items on hand?
• Are appropriate account/object codes used for recording assets and inventory?
• Are cases of suspected fraud or theft reported immediately upon discovery (to Legal and Internal Audit)?

Reconciliation
• Are adequate procedures in place to facilitate the periodic physical inventory, including procedures to resolve identified discrepancies in a timely manner?
• Are perpetual inventory records periodically reconciled to financial records?

Safeguarding Assets
• Are items such as laptops, projectors, tools, cameras, and other "attractive" items kept in a secure location when not in use?
• Are buildings, offices, work areas, and storerooms appropriately secured to deter unauthorized entry?
• Is the building secure, and is after-hours access limited to appropriate employees?
• Is access to the financial system restricted to those who need it for business purposes?

Segregation of Duties
• Are asset purchases approved by someone who will not have custody of the asset?
• Is the asset inventory performed by someone who does not approve purchases or have custody of the assets?

Cash and Receipts (answer each question Yes / No / NA)

Authorization and Approval
• Has each petty cash or receipt collection point been formally approved?
• Are all petty cash, change, and gift card funds authorized?
• Are petty cash purchases approved by a supervisor?
• Are all copies of voided receipt forms and cash register voids approved?
• Are all overages and shortages approved?
• Are delinquent account write-offs approved by the appropriate level of management?
• If accounts receivable balances are maintained, is there a process to ensure extension of credit is in accordance with University policy?
• If accounts receivable balances are maintained, are write-offs approved by a supervisor who is not involved in maintaining accounts receivable balances (for example, does not accept payments, input transactions, prepare deposits, etc.)?
• Have all bank accounts been officially approved by the organization?
• Are original signatures/log-in credentials used to approve transactions (i.e., no signature stamps, sharing of passwords, or signing on behalf of others)?

Documentation
• Are pre-numbered or cash register receipts issued for all receipts?
• Are all checks restrictively endorsed upon receipt?
• Are overages and shortages properly documented and appropriately explained?
• Are all management approvals for voids, overages, and shortages documented?
• Are University records retention policies followed consistently?
• Has the unit documented department-specific policies and procedures addressing daily operating activities? Are they well understood by unit staff?

Monitoring
• Are petty cash, change funds, and gift card amounts assessed periodically for appropriateness of amounts and use?
• Do cash registers have sufficient built-in control features to prevent the operator from backing out transactions without supervisory approval or resetting cash register readings?
• Are surprise counts performed periodically for petty cash and other funds?
• Are accounts receivable aged regularly? Do older accounts receive appropriate follow-up to attempt collection?
• Are staff members responsible for handling cash, receipts, and deposits familiar with the organization's cash handling and deposit policies?
• Are deposits made timely?
• Are safe combinations/keys changed when there are changes to the staff who know the safe combination or have access to safe keys?
• Are faculty and staff prohibited from making loans or cashing checks from cash funds?
• Are all receipts deposited intact, with no cash retained or expended?
• Are appropriate account/object codes used for recording deposits and receipts?
• Are cases of suspected fraud or theft reported immediately upon discovery (to Legal and Internal Audit)?

Reconciliation
• Are pre-numbered receipts and cash register readings compared to validated deposit documentation by an individual with no cash handling responsibilities?
• Are receipts and deposits reconciled to financial records?
• Are departmental records for expenses (including internal transfers) reconciled to financials at least monthly?
• Are appropriate accounts receivable balances recognized in financials?
• Are cancellation and no-show tickets reconciled periodically to patient records?

Safeguarding Assets
• Are all cash funds, receipts, and deposits secured at all times?
• Is knowledge of safe combinations or access to keys restricted to employees with a need to access?
• Are pre-numbered receipts and cash register readings independently controlled and accounted for by an individual with no cash handling responsibilities?
• Are deposits transmitted in a locked bank bag?
• If credit cards are accepted, are procedures in place to ensure compliance with security and privacy requirements (physically restricted access, no transmission of unencrypted data, no retention of cardholder information, etc.)?
• Are procedures in place to ensure that handling of patient and clinical trial participant data complies with security and privacy requirements (physically restricted access, no transmission of unencrypted data, etc.)?
• Are passwords protected from unauthorized use, including sharing?
• Is a bank lock-box or remote check deposit system used for large volumes of receipts?
• Is access to financial system deposit, receipt, and accounts receivable functions restricted to those who need it for business purposes?
• Is there a process to review access to financial systems periodically to ensure no one has access who no longer needs it (e.g., transferred to a different department, change in duties, terminated)?

Segregation of Duties
• Is the receipt function segregated so that the individual who prepares the deposit has no access to enter receipt or accounts receivable transactions?
• Does an employee with no cash handling responsibilities verify the amounts actually deposited against supporting logs/receipts?
• Are duties related to accounts receivable segregated so that no one individual can collect funds, update receivable records, and reconcile accounts receivable details?
• In clinical areas, does an employee with no cash handling responsibilities verify that all original fee tickets are accounted for (including cancellations and no-shows)?
• In clinical areas, does the person who enters patient charges have no access to cash, receipts, or patient account balances?
• Are textbooks and other class materials sold solely through the University bookstore?
• Are deposits prepared by someone other than the individual who initially receives the funds?

Control Environment (answer each question Yes / No / NA)
• Do management/faculty/staff have the knowledge, training, and skills necessary to perform their jobs effectively?
• Do management/faculty/staff understand the organization's policies regarding potential conflicts of interest?
• Do management/faculty/staff understand the organization's policies governing relationships with sponsors, suppliers, creditors, and regulators?
• Does unit management set a good example and regularly communicate high expectations regarding integrity and ethical values?
• Is unit management aware of competency levels and involved in training and increased supervision when competency is low?
• Does unit management exhibit active concern and effort to ensure compliance with policies and procedures, as well as with laws and regulations?
• Are exceptions to policy infrequent? When they occur, are they approved and well documented?
• Is responsibility clearly defined, and are individuals held accountable for results?
• Does management provide the resources needed for employees to carry out their duties?
• Are personnel adequately supervised, and are resources available for resolving disagreements?
• Is inappropriate behavior consistently handled in a timely and direct manner, regardless of the individual's position or status?
• Are critical functions adequately staffed with reasonable workloads?
• Are turnover rates low? Does management understand the root cause of turnover?
• Has the unit documented department-specific policies and procedures addressing daily operating activities? Are they well understood by unit staff?
• Is job performance periodically assessed by comparing actual performance to goals?
• Are employee job descriptions clearly defined in writing and communicated appropriately?
• Are records retained and destroyed in accordance with University guidelines?
• Are unexpected operating results or unusual trends investigated and resolved?
• Does the unit have a disaster response and recovery plan that addresses the absence of key employees and backup procedures for key business processes?
• Do you know who you should contact if you suspect a compliance violation or potential theft?
• Are the area's key business processes aligned with the strategic goals of the entity?

Disbursements/Expenditures (answer each question Yes / No / NA)

Authorization and Approval
• Are contracts and leases approved by appropriate parties prior to the effective date of the contract?
• Are original signatures/log-in credentials used to approve transactions (i.e., no signature stamps, sharing of passwords, or signing on behalf of others)?

Documentation
• Does the department maintain appropriate documentation explaining the business purpose for expenditures?
• Are University records retention policies followed consistently?
• Has the unit documented department-specific policies and procedures addressing daily operating activities? Are they well understood by unit staff?

Monitoring
• Are appropriate discounts offered being taken?
• If an invoice inappropriately included taxes, were they deducted prior to payment?
• Is a periodic review made of equipment and services to ensure they are still needed?
• Are maintenance agreements reviewed to ensure that the equipment is still owned and used by the unit and that it is still in the unit's best interest to continue to carry the maintenance coverage?
• Are appropriate account/object codes used for recording disbursements/expenses?
• Do you know who you should contact if you suspect a compliance violation or potential theft?

Reconciliation
• Are encumbrances and disbursements reconciled with financial records?
• Are returned purchases controlled to ensure that the department receives the credit or refund due?
• Are disbursements and reimbursements controlled to prevent duplicate payment?
• Are purchase card transactions reconciled to supporting documentation and approved timely?
• Are monthly financial records reconciled to supporting documentation?

Safeguarding Assets
• Is issuance of purchase cards controlled to ensure all cardholders are approved and understand the policies and procedures for use?
• Does unit management periodically review a list of departmental cardholders and their limits to determine if changes need to be made?
• Are purchase requisitions initiated and approved by employees specifically authorized to perform this task?
• Are all payments reviewed for completeness, accuracy, compliance with applicable policies, and agreement to supporting documentation before being approved for payment?
• Are the purchase, storage, and issuance of supplies properly controlled to prevent over-purchasing, pilferage, deterioration, and damage?
• Is access to financial system disbursement, requisition, payment, and accounts payable functions restricted to those who need it for business purposes?
• Is there a process to review access to financial systems periodically to ensure no one has access who no longer needs it (e.g., transferred to a different department, change in duties, terminated)?
• Are all payments mailed directly to the payee by the Accounts Payable department (i.e., they do not go back to the department for distribution)?

Segregation of Duties
• Are the duties of initiating requisitions, receiving purchased items, processing invoices for payment, and reconciling departmental financial records separated between two or more employees?
• Is the person responsible for approving the purchase of goods or services separate from the individual reconciling financial reports?
• Do procedures ensure that the person who benefits from a transaction does not approve it?
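The Segregation of Duties questions above can be tested against a role export from the financial system rather than answered from memory. The following script is an added illustration for this manual, not part of the Office of Internal Audit's document: the role export, the function names and the sample transactions are constructed, and the conflict rules are only the ones the Disbursements checklist states (the four disbursement functions split between people, approver separate from reconciler, and no one approving a transaction they benefit from).

```python
"""Segregation-of-duties check over a financial system role export.

Added example for this manual, not part of the original document. The role
export, function names and transactions below are constructed for the
illustration; the conflict rules are the ones the Disbursements checklist
states.
"""
from itertools import combinations

# Functions the checklist says must be split between two or more employees.
DISBURSEMENT_FUNCTIONS = ("initiate_requisition", "receive_goods",
                          "process_invoice", "reconcile_records")

# Any two of those functions held by one person is a conflict, and so is
# approving purchases while also reconciling the financial reports.
CONFLICTS = {frozenset(pair) for pair in combinations(DISBURSEMENT_FUNCTIONS, 2)}
CONFLICTS.add(frozenset({"approve_purchase", "reconcile_records"}))

# Constructed role export: user -> functions granted in the financial system.
ASSIGNMENTS = {
    "alice": {"initiate_requisition", "approve_purchase"},
    "bob": {"receive_goods", "process_invoice"},         # receives and pays
    "carol": {"approve_purchase", "reconcile_records"},  # approves and reconciles
    "dave": {"reconcile_records"},
}

# Constructed transactions; the approver must not be the requester or payee.
TRANSACTIONS = [
    {"id": "PO-1001", "requested_by": "alice", "payee": "Acme Supply", "approved_by": "dave"},
    {"id": "ER-2002", "requested_by": "carol", "payee": "carol", "approved_by": "carol"},
    {"id": "PO-1002", "requested_by": "bob", "payee": "Lab Gases Inc", "approved_by": "bob"},
]


def find_sod_conflicts(assignments, conflicts=CONFLICTS):
    """Return (user, function_a, function_b) for each conflicting pair one user holds."""
    hits = []
    for user, functions in sorted(assignments.items()):
        for a, b in combinations(sorted(functions), 2):
            if frozenset((a, b)) in conflicts:
                hits.append((user, a, b))
    return hits


def find_self_approvals(transactions):
    """Return ids of transactions approved by their own requester or payee."""
    return [t["id"] for t in transactions
            if t["approved_by"] in (t["requested_by"], t["payee"])]


if __name__ == "__main__":
    for user, a, b in find_sod_conflicts(ASSIGNMENTS):
        print("%s holds conflicting functions: %s + %s" % (user, a, b))
    for tid in find_self_approvals(TRANSACTIONS):
        print("%s was approved by its own requester or payee" % tid)
```

The role check finds conflicts that exist on paper; the transaction check catches the case where roles look clean but a specific approval was still self-serving, which is why both are worth running. Where a small unit cannot split the duties, the "No" answer needs a documented compensating control (for example, an independent review of the reconciliation), as the Introduction describes.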

Financial Reporting (answer each question Yes / No / NA)

Authorization and Approval
• Are original signatures/log-in credentials used to approve transactions (i.e., no signature stamps, sharing of passwords, or signing on behalf of others)?

Documentation
• Has the unit documented department-specific policies and procedures addressing daily operating activities? Are they well understood by unit staff?

Monitoring
• Do faculty and staff with responsibility for approving transactions or reconciling monthly financial reports have the knowledge, training, and skills necessary to perform their duties effectively?
• Are faculty and staff with responsibility for approving transactions or reconciling monthly financial reports familiar with the organization's financial and accounting policies?
• Do you know who you should contact if you suspect a compliance violation or potential theft?

Reconciliation
• Are financial reports reconciled to supporting documentation?
• Are variances identified during reconciliation investigated and resolved?
• Are financial reports comparing budgeted balances with actual financial activity monitored?

Safeguarding Assets
• Is access to the financial system restricted to those who need access for business purposes?
• Is there a process to review access to financial systems periodically to ensure no one has access who no longer needs it (e.g., transferred to a different department, change in duties, terminated)?

Segregation of Duties
• Is the individual who reviews and approves financial transactions someone other than the individual who reconciles the monthly financial report?
• Is account reconciliation completed by a person without signature authority on the account?

Human Resources (answer each question Yes / No / NA)

Authorization and Approval
• Are all new hires authorized and approved by the appropriate level of management?

Documentation
• Are reference and past work experience verifications for new faculty and staff documented?
• Has the unit documented department-specific policies and procedures addressing daily operating activities? Are they well understood by unit staff?

Monitoring
• Do hiring practices reflect the University's non-discrimination policy?
• Are references and past work experience of new faculty and staff verified?
• Do new faculty and staff attend required training?
• Are performance evaluations completed for each employee, in accordance with University policies?
• Are unit procedures in place to ensure that leave taken is properly approved and recorded?
• Are unit procedures in place to ensure that faculty and staff understand their responsibility to report outside employment activities?
• Are procedures in place to ensure that faculty and staff understand their responsibility to report actual or potential conflicts of interest?

Reconciliation
• Are salary and payroll transactions periodically reconciled to financial reports?

Safeguarding Assets
• Do new faculty/staff attend required training before access to select systems is provided?
• Are confidential records protected from access by those with no business need?

Segregation of Duties
• Are duties segregated so that the same person cannot set up a new employee record and approve time sheets for that individual?

Information Technology (answer each question Yes / No / NA)

Authorization and Approval
• Is all access to unit-managed systems/servers formally approved?
• Are original signatures/log-in credentials used to approve transactions (i.e., no signature stamps, sharing of passwords, or signing on behalf of others)?

Documentation
• Has the unit documented department-specific policies and procedures addressing daily operating activities? Are they well understood by unit staff?
• Is approval of access to unit-managed systems/servers formally documented?
• Is the unit policy on acceptable use of computer resources/data periodically communicated to all employees? Are new hires trained on it when hired?

Monitoring
• Has a unit IT risk assessment been conducted?
• Does the unit have a disaster response and recovery plan that addresses the absence of key employees and backup procedures for key business processes?
• Do you know who you should contact if you suspect an IT security incident?
• Are procedures in place to allow management to adequately and efficiently detect and contain IT security incidents?
• Are formulas, report logic, and database queries reviewed periodically to ensure they are computing correctly and pulling the correct information from other sources?
• Are files (databases, spreadsheets, etc.) containing sensitive data password protected and/or located in access-controlled directories?

Safeguarding Assets
• Is access to systems restricted to those who need it for business purposes?
• For unit-managed systems/servers, are system security and application access logs enabled and reviewed periodically for unauthorized access and anomalies?
• For unit-managed systems/servers, are backups of operating systems, critical data, and key software programs made on a regular basis and stored at an off-site location?
• Are strong password settings enforced for all unit-managed systems?
• Are requirements in place for removal of user access when an employee leaves the unit or is assigned to a different role within the unit? Is conformance with this requirement monitored?
• Is sensitive/restricted data (on networks, personal computers, and backup media) classified and protected by restricted access, encryption, or other controls?
• Are users prohibited from sharing passwords?
• Is antivirus software installed, operating, and being updated on all computing resources (laptops, desktops, servers, etc.)?
• Is system administration access to production systems restricted and based on need?
• Are spreadsheet cells with complicated formulas locked in order to prevent accidental manipulation of the formula?
• Are procedures in place to apply security updates and patches to all servers, workstations, and portable computers?
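Several questions in this checklist (approved and documented access, removal of access when someone leaves or changes role, monitoring of that requirement, and administration access based on need) are answered most reliably by a periodic reconciliation of the system's account list against the HR roster and the access approval records. The following script is an added illustration for this manual, not part of the Office of Internal Audit's document: the HR roster, account export and approval records are constructed, and the column names, the department name and the 90-day stale-login threshold are assumptions made for the example.

```python
"""Periodic review of access to a unit-managed system.

Added example for this manual, not part of the original document. All data
below is constructed; column names, the 90-day stale-login threshold and the
department name are assumptions made for the illustration.
"""
import csv
import io
from datetime import date

# Constructed HR roster export: current employment status and department.
HR_ROSTER = """username,department,status
alice,Biology,active
bob,Biology,active
carol,Chemistry,active
dave,Biology,terminated
"""

# Constructed account export from the unit-managed system.
SYSTEM_ACCOUNTS = """username,role,last_login
alice,user,2015-06-30
bob,admin,2015-07-01
carol,user,2015-04-20
dave,user,2015-01-15
erin,admin,2015-06-28
"""

# Constructed records of documented access approvals and of who may hold
# system administration access.
APPROVALS = {"alice": "REQ-101", "bob": "REQ-102", "carol": "REQ-103", "dave": "REQ-090"}
APPROVED_ADMINS = {"bob"}


def parse_csv(text):
    """Parse an exported CSV string into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def review_access(roster_rows, account_rows, approvals, approved_admins,
                  unit_department, today, stale_days=90):
    """Return (username, finding) pairs for accounts that need removal or re-approval.

    Checks, in order: HR status and department (left or transferred), admin
    role against the approved administrator list, presence of a documented
    approval, and last login against the stale threshold.
    """
    roster = {row["username"]: row for row in roster_rows}
    findings = []
    for acct in account_rows:
        user = acct["username"]
        person = roster.get(user)
        if person is None:
            findings.append((user, "no HR record: account holder unknown"))
        elif person["status"] != "active":
            findings.append((user, "HR status %s: remove access" % person["status"]))
        elif person["department"] != unit_department:
            findings.append((user, "transferred to %s: re-approve or remove"
                             % person["department"]))
        if acct["role"] == "admin" and user not in approved_admins:
            findings.append((user, "admin role not on approved administrator list"))
        if user not in approvals:
            findings.append((user, "no documented access approval"))
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > stale_days:
            findings.append((user, "no login in %d days: confirm still needed" % idle))
    return findings


def run_review(today=date(2015, 7, 31)):
    """Run the review over the constructed exports for the (assumed) Biology unit."""
    return review_access(parse_csv(HR_ROSTER), parse_csv(SYSTEM_ACCOUNTS),
                         APPROVALS, APPROVED_ADMINS, "Biology", today)


if __name__ == "__main__":
    for user, finding in run_review():
        print("%-6s %s" % (user, finding))
```

Keeping the review output with the date it was run, and the ticket under which each flagged account was removed or re-approved, is what turns this from a one-off cleanup into the documented, monitored process the checklist asks about. An account with no HR record at all (erin in the sample) is the finding to chase first, since nothing in the roster explains why it exists.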

Management Oversight (answer each question Yes / No / NA)

Monthly Activities
• Has the Dean/Director confirmed that all monthly account reconciliations, reviews, and analyses of significant matters have been completed?
• If reconciliations identify significant issues or include large reconciling items, has the Dean/Director inquired about these items, followed up to determine that there is an appropriate explanation or resolution, and documented this?
• Has the Dean/Director reviewed the monthly financial information, including budget to actual and comparison to prior year, considered whether financial activity and amounts appear reasonable and in line with expectations, and made inquiries as appropriate?

Annual Activities
• Has the Dean/Director communicated the importance of, and expectations regarding completion of, annual performance appraisals, and assigned someone to verify completion and report results to facilitate follow-up on non-compliance?
• Has the Dean/Director requested a report from HR verifying whether employees have completed required training, and instructed non-compliant employees to complete the required training courses?
• Has the Dean/Director verified that personnel are aware of the procedures to report sexual or other forms of harassment, and that management understands how to handle such reports in compliance with policy?
• Has the Dean/Director ensured that an annual process occurs to review, maintain, and update departmental policies and procedures, verify that none conflict with University policy, and communicate updates to employees?

Documentation
• Are management's periodic oversight activities documented via this checklist or other means, with follow-up on any issues identified attached or referenced?

Research (answer each question Yes / No / NA)

Authorization and Approval
• Are agreements and contracts approved by appropriate parties prior to the effective date of the contract?
• Are research grants and contracts that require a commitment of University facilities or personnel reviewed by the appropriate University departments?
• Are original signatures/log-in credentials used to approve transactions (i.e., no signature stamps, sharing of passwords, or signing on behalf of others)?

Documentation
• Has the unit documented department-specific policies and procedures addressing daily operating activities? Are they well understood by unit staff?

Monitoring
• Are costs charged directly to a grant or contract reviewed to ensure they are reasonable, allocable, allowable, consistently treated, and meet all applicable restrictions?
• Do fixed price contracts include all allowable expenditures?
• Is hourly payroll distribution monitored to ensure that employee pay is charged to sponsored projects consistent with the employee's activities rather than the availability of funds?
• Are salary expenses charged to sponsored projects appropriately for those faculty and staff whose compensation exceeds the NIH salary cap or other budgetary restrictions?
• Is faculty and staff effort reviewed to ensure individuals are not "overcommitted" to current projects?
• Have faculty and staff received sufficient training and resources to effectively perform their duties related to effort reporting and general compliance with grant or contract terms and federal regulations?
• Does unit management monitor the portfolio of sponsored accounts for compliance and fiscal responsibility?
• Are reports from regulatory bodies considered for their internal control implications?
• Are procedures in place to ensure that all technical and progress reports are prepared by employees directly involved with the program and are submitted in accordance with the agreement?
• Are procedures in place to address circumstances when an award has not yet been accepted?
• Are procedures in place to ensure that only allowable expenses are charged to sponsored accounts (e.g., travel, equipment, clerical)?
• Are purchases of fixed assets (if allowed by the agreement) made early enough in the life of the project that the asset can be properly used to accomplish the project objectives?
• Is there a control in place to ensure that expenses reported for purposes of cost sharing are not already charged directly to other sponsored projects, unless both sponsors have specifically granted permission?
• Are all individuals involved in sponsored projects aware of export control rules and regulations?
• Do you know who you should contact if you suspect a compliance violation or potential theft?
• Are appropriate account/object codes used for recording revenues and expenses?

Reconciliation
• Are sponsored project financial records reconciled to supporting documentation?
• Is the sponsor-approved budget reconciled to actual financial records?

Safeguarding Assets
• Is access to financial system disbursement, requisition, payment, and accounts payable functions restricted to those who need it?

Segregation of Duties
• Do procedures ensure that the person who benefits from a transaction does not approve it?
